General Notes[edit | edit source]
This is a small page of information for new developers trying to assemble a FIR file to run initial code on a camera. I will compile from a few sources to (hopefully) make one easy to read page. This is just for older cameras that didn't use encryption, I do not understand encryption at all but if someone wants to add that be my guest :). => See Fir_Security and Firmware_file.
Background[edit | edit source]
Here are notes from a PM from englemarkus. He is explaining how to use the perl script assemble_fw. This is referencing the 1000d and 400d:
Booting: 1. If there's an AUTOEXEC.BIN on the sd card, the firmware will load it to RAM and try to boot it. 2. For booting from an AUTOEXEC.BIN, you have to use FAT16 as a file system and you have to use "EOS_DEVELOP" as a label. 3. You have an address space from 0x00000000 - 0xFFFFFFFF... The original firmware is mapped to 0xFF800000 and is 8 MB in size (= 0x800000). 0xFF800000 + 0x800000 = 0xFFFFFFFF. 4. Fir files are always loaded to 0x800000. Structure of a fir file: 1. Flash Header (0x120 Bytes) 2. Flasher 3. Data Header 4. Data The flasher starts at 0x800120 after the fir file is loaded, as the header is 288 bytes in size. So "$offset" has to be 0x120!
And an email from chuchin regarding getting started with the 1000d:
Hi Andrew, first you will need to decrypt the update flasher use the dissect_fw3_2 tool. In the command line type: x:\1000d dissect_fw3_2.exe e6kr5107.fir It should give you 4 files. You only need the header and the flasher which I have included. With perl use the command line and type: x:\1000d perl assemble_fw It should give you a .fir file. Replace my autoexec.bin file - it is not for the 1000d.
Useful Tools[edit | edit source]
There are a few tools that are quite useful for developers working with FIR files. Each name links to its download location.
A windows program that splits the firmware up into the different parts explained earlier so that you can pack your own autoexec.bin to replace the payload in the original firmware update. You will get 3 files, the header, the flasher and the payload. Use these with assemble_fw as explained next.
A perl script that takes your autoexec.bin and combines it with the header and flasher from the updater fir, to create your new fir. The checksum is also corrected before the final .fir file is spit out. You will need to edit the offset setting depending on what camera you are working on. This is what englemarks was referring to earlier about an offset of 0x120 (this is for 1000d).
A python script used for analyzing FIR files. It gives a lot of useful information in an easy to read format; each offset and the information there. It can also extract the payload from a .FIR file and decrypt it (some, i think. Not sure about AES encrypted cameras). Here is a sample output, from a 1000d v1.0.7 update:
coutt1aj:downloads coutt1aj$ python fir_tool2.py e6kr5107.fir Fir_tool 0.5 (20Mar2010) fileLen = 0x715cfc ---.fir header--- 0x000: modelId = 0x80000254, (1000D / Rebel XS, VxWorks) 0x010: version = 1.0.7 0x020: checksum = 0xc7902bcd 0x024: updater1 header = 0xb0 0x028: updater1 offset = 0x120 0x02c: updater2 offset = 0xffffffff 0x030: firmware offset = 0x1a0190 0x034: 0xffffffff 0x038: embedded file size = 0x715cfc 0x03c: 0x0 0x040: sha1 seed = 0xd54a6484 0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a00e0 0x060: 0x1a0190 0x064: firmware length = 0x575b6c 0x068: updater1 hmac-sha1 = 9d131fc81c605427a4bb4490f04669efbc510e11 0x088: firmware hmac-sha1 = 6f31a5573fec1b159290228aadbeec4d71ce5c2b ---updater1 header--- 0x0b0: updater1 length = 0x1a0070. starts at 0x120 0x0b4: 0x1a0070 0x0b8: 0x0 0x0bc: xor seed value = 0x933629ce 0x120: --- updater1 (ciphered) --- ---firmware header--- 0x1a0190: (+0x000), offset to decryption data = 0xc 0x1a0194: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0190 0x1a0198: (+0x008), total firmware length (including header) = 0x575b6c. starts at 0x1a0190 - 0x1a019c: (+0x00c), firmware length (encrypted part) = 0x575af0. starts at 0x1a020c 0x1a01a0: (+0x010), 0x00575aea 0x1a01a4: (+0x014), 0x0 0x1a01a8: (+0x018), 0xba510112 0x1a01ac: (+0x01c), 7c5bb4cfd6c106db1246f70e541961c1 0x1a01bc: (+0x02c), e3ea4f2f40551f7fcb1413f2288f50237c920d289a46e6cc6c3c013faee45faf 0x1a01dc: (+0x04c), da5bd5dbcdecd8c318d17d763a11149b 0x1a01ec: (+0x05c), 0de3c8cabf01ced75a08583ffefd4f8fee9f22c44167d15840f269e96d556cd0 ---firmware (encrypted)--- 0x1a020c: (+0x07c) ==Useful links / readings==
A list of commands:
coutt1aj:downloads coutt1aj$ python fir_tool2.py -h Usage: fir_tool2.py [options] filename Options: -h, --help show this help message and exit -z, --zeros print fields usually filled with zeros -c, --checksum verify checksum(s) -x, --extract extract updater(s) code -v, --verbose verbose mode ==Where do I start??==
First you must analyze a Canon update to extract a firmware dump from that (well, a partial one, at least enough to look through).
Then create a small project to run, something simple like dump the firmware so that you can view a bin file. After you have a firmware dump, you can find functions like the EnableBootDisk function which sets the bootflag (camera will load autoexec.bin files on bootable sd cards without needing to run FIR files anymore), dumpf to view the debug message log, and LED addresses.
I have hosted in a repository on my bitbucket a very simple project Indy has sent me from his testings on a 450d. He was able to get a firmware dump, dump the debug log and flash the LED. This is a very good starting point for development on VxWorks cameras. Link here.
Other Information[edit | edit source]
These are links to other wiki pages that are good to read. Many thanks to those devs who have taken the time to take notes for us :)
- fir_tool2.py on the 7d. Indy explains fir_tool with samples from the 7d updater: here
- Explanation of FIR file header and what is at each offset (more links to other resources): here
- 40d development - early stages working with .fir files: here
Closing[edit | edit source]
So that's pretty much all you'll need to start. That is ofcourse if you are working on something older :P for these newer cameras, I will leave it to Indy to edit if he wishes as this is his area of expertise ;)